diff --git a/docs/adr/0017-cctv-physical-cabling.svg b/docs/adr/0017-cctv-physical-cabling.svg new file mode 100644 index 00000000..6088f9e3 --- /dev/null +++ b/docs/adr/0017-cctv-physical-cabling.svg @@ -0,0 +1,126 @@ + + + + + + + + + + + ADR-0017 — physical cabling (single-switch, rev 3) + wires only — no VLANs, no traffic · solid = in place · dashed = camera-day · ~ = radio + + + + APARTMENT + + ☁ ISP (internet) + + + + AX6000 router + 192.168.1.1 · WAN←ISP · 8×LAN + + + Synology NAS · .13 + on an AX6000 LAN port + + + 📶 wifi clients (phones, laptops) + + + + + in-wall run → garage + + + + GARAGE — RACK + + + + TL-SG105PE · 5-port gigabit PoE switch + mgmt 192.168.1.6 · replaces the old TL-SG105E (→ shelf, cold spare) + + + P1 + ← apartment + + P2 + ← 4G router + + P3 + ← UPS mgmt + + P4 ⚡PoE + ← camera + + P5 + ← R730 eno1 + + every cable below re-plugs old-switch → PE on camera day (≈3 min) + + + + 4G router · 192.168.1.7 + ~cellular uplink (out-of-band) + + + 📡 cellular + + + + UPS (Huawei) + network mgmt card + + + + + Dell R730 · PVE host · 192.168.1.127 + + + eno1 · LAN1 + ← switch P5 · 1GbE + + eno2 · LAN2 + dark · fallback leg + + eno3 / eno4 + free, uncabled + + iDRAC · .4 + shared-LOM/eno1 + + no other network cables — everything else on this host is VIRTUAL: + pfSense · ha-sofia (HA) · devvm · k8s-master + node1-6 · registry VM … + (power: host + switch fed from the UPS — power wiring not drawn) + + + LAN1 cable + + + + GARAGE ENTRANCE + + vermont-garage camera + HiLook IPC-T241H-C · 10.0.30.70 + powered over the data cable (PoE) + outdoor · armored conduit + + + single cat6 in conduit · data + PoE power (camera day) + + + + + copper, in place + + camera-day cable / dark port + + radio (wifi / cellular) + total wired links at the rack: 5 (all on the one switch) · ADR-0017 rev 3 + + diff --git a/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md b/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md index 7b06f0e4..152e177b 100644 
--- a/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md +++ b/docs/adr/0017-cctv-segment-dedicated-pfsense-leg.md @@ -4,6 +4,8 @@ Status: accepted (2026-07-02, rev 3 — single-switch) ![Network topology — dCCTV segment, flows, and camera-day steps](./0017-cctv-segment-topology.svg) +![Physical cabling — wires only, no VLANs](./0017-cctv-physical-cabling.svg) + The first owned camera at the Sofia/Vermont site (`vermont-garage`, HiLook IPC-T241H-C at the garage entrance) needs to be network-isolated: its cable is physically exposed outside the apartment, so anything plugged into that cable 
@@ -35,6 +37,52 @@ may reach ISAPI/RTSP directly; home-LAN clients route in via an AX6000 static route (10.0.30.0/24 via 192.168.1.2). 10.0.30.0/24 is deliberately NOT in the 10.0.20.0/22 trusted source-IP allowlist. +## Traffic on the trunk — how one cable carries two networks + +The LAN1 cable is shared, but the two networks on it diverge at `vmbr0` +(the vlan-aware bridge on the PVE host), and only ONE of them ever touches +pfSense: + +- **Untagged (VLAN 1, home LAN)** is plain L2 bridging: vmbr0 switches it + between the trunk, the host's own IP (192.168.1.127) and pfSense `net0` — + where pfSense sits as an ordinary LAN *client* (WAN 192.168.1.2). The home + LAN's gateway is and remains the AX6000; home-LAN traffic never transits + pfSense. Consequently a pfSense (or R730 VM-level) outage does not affect + the home LAN, and the apartment ↔ 4G-router ↔ UPS paths don't even leave + the switch (P1/P2/P3 bridge internally), so out-of-band recovery via the + 4G router survives the whole rack being down. +- **Tagged 30 (CCTV)** has exactly one possible landing: vmbr0 delivers + VID 30 only to pfSense `net3` (dCCTV, 10.0.30.1), which is the camera + segment's gateway, firewall and sole exit. "Camera → AX6000 → internet" + is impossible by construction, not merely by firewall rule. +- pfSense forwards *upstream* only its own segments (10.0.10/20/30), NATed + out of its WAN toward the AX6000. Load-wise the trunk gained only the + camera's ~8 Mbps — it already carried all rack-bound home-LAN traffic. 
+ +```text + INTERNET ── AX6000 192.168.1.1 (home GW; camera-day route 10.0.30.0/24 → .2) + │ + │ apartment uplink · V1 untagged + ┌──────────────┴───────────────────────────────┐ ┌────────────────────┐ + │ TL-SG105PE (mgmt 192.168.1.6) │ │ vermont-garage │ + │ P1 apartment · P2 4G .7 · P3 UPS [VLAN 1] │◄───┤ HiLook, pure IR │ + │ P4 camera PoE [VLAN 30] │cat6│ 10.0.30.70 (Kea) │ + │ P5 TRUNK: V1 untagged + V30 tagged │ └────────────────────┘ + └──────────────┬───────────────────────────────┘ + │ ONE cable (existing LAN1 run) + ┌──────────────┴───────────────────────────────────────────────┐ + │ R730 · eno1 → vmbr0 (vlan-aware) │ + │ ├─ untagged → host .127 + pfSense net0 WAN 192.168.1.2 │ + │ └─ tag 30 → pfSense net3 dCCTV 10.0.30.1/24 (camera GW) │ + │ eno2 → vmbr2: dormant fallback leg │ + │ vmbr1: tag 10 → dManagementsVms · tag 20 → dKubernetes (k8s, │ + │ Frigate on node1, go2rtc LB 10.0.20.204 → HA live) │ + └───────────────────────────────────────────────────────────────┘ + + Frigate 10.0.20.x ─RTSP :554─► camera · ha-sofia .8 ─:80+:554─► camera + camera ─NTP :123─► 10.0.30.1 · camera → anything else = DENY +``` + ## Considered options - **802.1Q over the LAN path behind an UNMANAGED switch** (the original plan
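Review bot: In the new `0017-cctv-physical-cabling.svg`, the `iDRAC · .4 / shared-LOM/eno1` label and the `eno2 · LAN2 / dark · fallback leg` label together mean the fallback leg does not cover out-of-band host management: if the LAN1 cable or eno1 is what fails, the shared-LOM iDRAC goes dark with it, and eno2 is drawn as a dark, uncabled port. Either state that limitation next to `dark · fallback leg`, or show the second cable the fallback would need, so a reader does not assume iDRAC survives an eno1 failure. Two smaller documentation points in the same drawing: the `UPS (Huawei) / network mgmt card` box is the only rack device without an address while `.4`, `.6`, `.7`, `.13` and `.127` are all given, and the legend line `every cable below re-plugs old-switch → PE on camera day (≈3 min)` would be clearer with the old-port → new-port mapping stated explicitly, since the old switch stays on the shelf as a cold spare and a roll-back must land each cable on the same port.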
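Review bot: In the `Traffic on the trunk` section, the claim that `"Camera → AX6000 → internet" is impossible by construction, not merely by firewall rule` rests on two configurations the hunk does not record, so it cannot be checked from the ADR: (1) the TL-SG105PE 802.1Q table, i.e. that P4 carries VLAN 30 untagged with PVID 30 and is not a member of VLAN 1, that P1/P2/P3 are not members of VLAN 30, and that P5 is the only port where 30 is tagged; and (2) that `vmbr0` delivers VID 30 to `pfSense net3` only, which on a vlan-aware Linux bridge holds only while no other guest NIC on vmbr0 is given tag 30 and the host has no VLAN 30 interface of its own (the bridge admits the whole VID range by default, so the restriction is a property of the guest NIC assignments, not of the bridge). Add both as explicit statements, ideally the switch's per-port membership table, so that "by construction" names the construction. Two smaller points in the same hunk: the summary line `camera ─NTP :123─► 10.0.30.1 · camera → anything else = DENY` omits DHCP, yet the diagram gives the camera's address as `10.0.30.70 (Kea)`; list the DHCP allow beside NTP or say the lease is reserved. And `ha-sofia .8` appears next to `Frigate 10.0.20.x` and `192.168.1.2`, so write the full address, since both 192.168.1.x and 10.0.20.x shorthands are used in these documents.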